Knowledge Base::DBSA:2014-0002

Views

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Classification

Rationale: Users utilizing the program must take note to see if they are utilizing a legitimate installation of the software.

Severity: HIGH

Rationale: Utilizing the malicious variant may compromise security of websites and lead to damages.

Spread of Issue: SINGLE-PLATFORM HIGH

Rationale: Most users do not use FTP software, however this has the potential to affect users accessing websites maintained using the software.

Description

FileZilla is an FTP file management utility that provides website and server administrators access to transmit and receive files via FTP (File Transfer Protocol). It has been reported that the software has had a fake variant released that poses as being the software, the fake variant is fully operational and will operate as expected but contains hooks that transmit any logins and passwords entered to a third party through largely undetectable means.

This has implications whereas websites administered or maintained using the fake variant may be maliciously compromised and altered to host malware, illegal activities or redirect users to compromised websites.

Mitigation/Solution

It is advised to utilize official sources only for downloading the software and be sure that any versions already installed do not contain the files in the "C:\Program Files\FileZilla FTP Client" or "C:\Program Files (x86)\FileZilla FTP Client" directories:

ibgcc_s_dw2-1.dll

libstdc++-6.dll

The installation package of the software may be verified by checking which version of the NullSoft installer it utilizes. The legitimate version is v2.45-Unicode while the malicious version is v2.46.3-Unicode.

If any credentials have been potentially compromised, it is advised to contact your server or system administrator or provider to reset any passwords that may have been compromised, including any attached web control panel passwords.

Users of small to medium websites are advised to forward this advisory to their webmasters.